CISA’s Secure by Design initiative in limbo after key leaders resign
The future of the federal government’s software-security advocacy campaign is in doubt following the departure of the two Cybersecurity and Infrastructure Security Agency officials who oversaw the program.

CISA senior advisers Bob Lord and Lauren Zabierek, who led the agency’s Secure by Design initiative, announced on Monday that they were taking the Trump administration’s deferred-resignation offer and leaving the government.

Lord, a former Yahoo and Democratic National Committee security executive, said he would continue “contributing to the Secure by Design movement” after “taking a short break.” Zabierek, who previously led the Cyber Security Project at Harvard’s Belfer Center and served as a U.S. Air Force intelligence officer, called her departure “one of the toughest decisions of my career.”

Their exits are the latest blow to CISA’s already-imperiled Secure by Design program, which lost its third senior adviser, Jack Cable, at the end of the Biden administration.

“The public was very lucky to have Bob and Lauren and Jack Cable serve,” said Ari Schwartz, a former White House cyber official who is now the managing director of cybersecurity services at Venable. “They all could have been making a lot more money in the private sector with less bureaucracy to deal with. I have seen the results of their efforts and we are all more secure and safer because of their very pragmatic and constructive efforts.”

Lord’s departure is an especially big setback for Secure by Design, according to one person familiar with the matter, who requested anonymity to speak candidly.

“Not having him there hurts it,” this person said. “SBD could still succeed without him, but the road will be much tougher.”

CISA created the Secure by Design project in April 2023 in an effort to encourage software makers to take cybersecurity more seriously and weave it more deeply into their products. The advocacy campaign reflected CISA’s attempt to implement a key pillar of the Biden White House’s cyber strategy — shifting the security burden from users to tech giants — through a voluntary, rather than regulatory, approach.

The program’s biggest accomplishment was convincing more than 250 tech companies to sign a seven-part pledge that committed them to making progress on issues like multifactor authentication, default passwords and security patching. Large tech companies like Microsoft and Google began publicizing their efforts to improve customer security. CISA also issued best-practices guidance under the Secure by Design banner to help companies improve their software, and it partnered with other countries to raise the global visibility of software security concerns.

Complaints of CISA overreach

But tensions between the government and the tech industry plagued the Secure by Design campaign, as companies bristled at CISA’s attempts to pressure them to do more on security. Industry executives pushed back on CISA’s original vision for the pledge, which involved firmer commitments than the final product contained. Companies worried that CISA was effectively trying to regulate software security, and they began complaining that the young agency was overstepping its bounds.

After Donald Trump’s re-election victory, cyber experts began predicting that Secure by Design was dead in the water, as the new, industry-friendly administration was likely to oppose any government pressure campaign to shape the private sector’s behavior. Indeed, tech companies appeared to sense an opportunity to reduce federal cyber oversight — in March, the major software trade group BSA asked the White House to “end the use of quasi-regulatory actions in cybersecurity,” though it did not mention Secure by Design.

Henry Young, BSA’s senior director for policy, told Cybersecurity Dive that his organization “looks forward to continuing to work with CISA as it sharpens its focus during the current administration,” emphasizing the importance of “policy solutions that are rooted in real-world experience and improve cybersecurity resilience.”

It remains unclear what the Trump administration plans to do with the Secure by Design campaign. Senior officials have not publicly discussed the project, and the White House did not respond to a request for comment.
